Posted by CmdrTaco on Wednesday June 15, 2011 @09:54AM from the oh-yeah-that'll-work dept.

alphadogg writes "Justice Ministers across Europe want to make the creation of 'hacking tools' a criminal offense, but critics have hit back at the plans, saying that they are unworkable. Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission's text, the ministers extended the draft to include 'the production and making available of tools for committing offenses.' This is problematic, as much legal and legitimate software could be put to criminal use by hackers. The draft mentions 'malicious software designed to create botnets or unrightfully obtained computer passwords,' but goes no further in attempting to clarify what 'tools' might be subject to criminal sanctions."

It's a pretty weak law if it can be wholly bypassed by a statement from the software developer saying that it's a security tool and not a hacking tool, though. In reality what this boils down to is yet another law they can use to lock you up if they really want to but otherwise have no good cause. "We assume you're up to no good, we can't find any evidence but... erm... look! you have some software that could be used for naughty stuff. Take him away!"

And this is actually the scary part, that "malicious" will change meaning on a whim. You won't know 'til you have been dragged to court and informed that whatever software you considered benign (because you used it for ordinary, legal purposes) is considered malicious in court.

Dan would later learn that there was a time when anyone could have debugging tools. There were even free debugging tools available on CD or downloadable over the net. But ordinary users started using them to bypass copyright monitors, and eventually a judge ruled that this had become their principal use in actual practice. This meant they were illegal; the debuggers' developers were sent to prison.

Programmers still needed debugging tools, of course, but debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers. The debugger Dan used in software class was kept behind a special firewall so that it could be used only for class exercises.

Penetration testing is a necessary application hardening process that depends on access to the SAME TYPE OF TOOLS that black hats use to break an application. Think of it like viral inoculation: You need some of the enemy code in order to build an effective defense.

Ah, but if they ban the tools the bad guys use, then there's no need for the tools the good guys use - it's obvious! While they're about it, they should ban theft and then make locks illegal because they're no longer required. Oh, wait...

That is a dangerous rule. I have used password crackers on my own server passwords to see how secure my users are. I have used tools that check for exploits to check my own servers as well. Sure, I would love to not have hackers, but those tools can be used as a way to test servers as well as a way to exploit hacks.
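The self-audit the poster describes, running a password cracker against your own user database to find accounts with weak passwords, as an added example (not code from the thread or any poster). It assumes a login system that stores salted PBKDF2-HMAC-SHA256 hashes; the user table and the common-password list are constructed here, and the iteration count is kept deliberately low so the example runs quickly.

```python
"""Password-strength audit of your own user table (added example, constructed data).

Assumes passwords are stored as (salt, PBKDF2-HMAC-SHA256 hash). The audit re-hashes
each common password with each user's salt and reports the accounts that match,
so the administrator can force a reset before someone else does the same search.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Deliberately low so the example finishes instantly; production systems use far more.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored hash exactly as the (assumed) login system would."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_sample_user_table() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed sample table: username -> (salt, hash). Two users chose weak passwords."""
    samples = {
        "alice": "correct horse battery staple",  # not in the common list
        "bob": "password1",                        # in the common list
        "carol": "Summer2011",                     # in the common list
        "dave": "7h!s-1s-n0t-1n-th3-l1st",         # not in the common list
    }
    table: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in samples.items():
        salt = os.urandom(16)  # per-user random salt, as a sane system would use
        table[user] = (salt, hash_password(pw, salt))
    return table


# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "Summer2011", "letmein"]


def audit_weak_passwords(table: Dict[str, Tuple[bytes, bytes]],
                         wordlist: List[str]) -> List[str]:
    """Return (sorted) the users whose stored hash matches some word in the wordlist.

    Because every user has a unique salt, each candidate has to be re-hashed per user.
    That per-user, per-candidate cost is the whole point of salted, slow hashes: it is
    what keeps a leaked table from being searched cheaply in bulk.
    """
    weak: List[str] = []
    for user, (salt, stored) in table.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                weak.append(user)
                break
    return sorted(weak)


if __name__ == "__main__":
    users = build_sample_user_table()
    for name in audit_weak_passwords(users, COMMON_PASSWORDS):
        print(f"{name}: password is on the common-password list; force a reset")
```

The returned list is the set of accounts to notify and reset; the same check, run at password-change time against the wordlist, prevents those passwords from being chosen in the first place.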

I've been saying for a long time that any code in italics should be treated as a comment, and anything in bold should be an assertion. Rather than insist that it all be indented the same like Python does, just colour your lines in the same colour as the condition or loop.

Why not. Even MS Office... because then they can ban it too. LibreOffice and all the like as well... a mass of reasoning discarded... They need to ditch IPv4 so that they can impinge a total control IPv6 on the populace.

There were ways, of course, to get around the SPA and Central Licensing. They were themselves illegal. Dan had had a classmate in software, Frank Martucci, who had obtained an illicit debugging tool, and used it to skip over the copyright monitor code when reading books. But he had told too many friends about it, and one of them turned him in to the SPA for a reward (students deep in debt were easily tempted into betrayal). In 2047, Frank was in prison, not for pirate reading, but for possessing a debugger.

Yes, it's a piece of dystopian writing, but what makes that so scary is how plausible it all is.

Or people, people are the most useful hacking tool. A lot of hacks are done with no more than either a telephone call or a friendly conversation. We should just ban people, get it over with, lock everyone up and be done with it all.

Don't worry, the government is most of the way done implementing this solution. The problem is that the prisons are full, and they can't build any more prisons because the government is broke. The only realistic solution to the problem would be to increase tax rates on the rich back to what they were pre-1980, but that could send the luxury yacht and caviar market into a tailspin.

That's maybe what they have in mind, unfortunately that's not what they have in the law proposal.

That's the problem here: politicians try to make a law concerning something they don't even have the foggiest clue about. They imagine some CSI-esque "click here for big kaboom" Flash-game interface, but the law they propose would hit a lot of tools used to actually secure networks. The problem here is that the same tools that tell me whether I'm secure (from nmap to Wireshark) are also the tools used to compromise that security. Making the tool illegal and not the use is a slippery slope at best.

"If you outlaw X, only criminals will have X" has rarely been more apt than this time. Because if I'm out to break a much more serious law, why'd I bother to worry about illegal possession of the tool? If I planned to rob a bank, would I care about illegal possession of firearms? If I wanted to hack the European Central Bank, would I worry about the slap on the wrist I'd get if I was found in the possession of nmap? If I want to secure my network, I certainly WILL worry about that slap, because my job as CISO hangs on my police record being spotless.

We'd have a real trial first, where the accused could defend their stupid idea and point out how it wasn't stupid. I'm not even averse to an appeal, but at the end of the day, if they create a law or regulation that is stupid and potentially can harm people (like, in this case, security analysts or, heck, your average decent admin using tools to determine penetration vulnerability), they should be eliminated. Maybe we don't shoot them, maybe we just put them in jail for a while.

While I see the sarcasm in your statement, the problem goes beyond people abusing a law (AKA, I don't like person X or group Y and I want to get them in trouble, so I will sue them because they use or made some tool which may be commonly used for hacking, while their use for illegal activity is unproven). It is an issue that a tool made for hacking then gets reused as a productive tool in legal usages.

Secondly, illegal hacking (the bad kind) is, well, umm... illegal, so these people wouldn't really be morall

Banning computers would put too many companies out of business. We should just ban operating systems. That way all these other tools won't work, and we only put a handful of companies out of business... none of them from the EU.

Not a professional security researcher (as narrowly defined by law?) You're not allowed to possess or create tools that help find security vulnerabilities. That means you, Joe Blow who writes webapps -- you can't run attacks against your own server because the tools are illegal, and you can't build your own tools either. I guess you'll have to release that software untested in certain ways, then hope the black hats decide to follow the same laws as you.

Thank god it's in my job description, so I might actually get the hazmat endorsement. But what about the next generation of security researchers? Will we only get the garbage that gets out of "security colleges"? People who "learned" security research but never "felt" it? Who are used to learning by the book instead of hunting down flaws, who never learned how to actually find the resources needed?

Security is all about NOT going by the book, pushing the envelope and thinking outside the box. And all that is

They obviously don't understand even the elementals of coding.
Now if they really want to get these guys there are better ways of doing it.
But trying to stop axe murderers by taking them away from all firemen is just retarded.

This is people in management positions in all levels of society. They are mentally incapable of deferring to anyone smarter than them because, in their mind, they are the best and the brightest. It's not hyperbole to say that western civilisation is in crisis because of the hubris at the top (in the boardroom and in the legislatures).

Oh, I do not assume that management people are "dumb". I certainly do not want to trade with them and they would most likely blow me out of the water in anything related to marketing, legal or business administration. I dabble in those three fields to some degree (ok, at least the latter two, I only have to "sell" security to my manager), but I certainly wouldn't hold a candle in these fields to them.

I'm not smarter than my CEO. But I have a different field of expertise, and luckily, he knows that, understa

But trying to stop axe murderers by taking them away from all firemen is just retarded.

Or perhaps just requiring anyone who owns an axe to register with the government? Even further, perhaps only allowing people who work for a particular agency (the fire department) to own an axe? You already see this approach taken with things like guns, and with people refusing to shut up about "cyberwarfare," it is only a matter of time before they start equating programming and debugging tools with firearms.

Here in the US, we already had that happen. ITAR classified cryptosystems as munitions, and the same criminal penalties applied back then as exporting nukes.

Same crap all over again... we had discussions of exactly this on the cypherpunks list in the mid 1990s. The only difference was that the Four Horsemen of the Infocalypse were theories for the most part, not something happening in reality.

Sad thing is that pulling "hacking tools" will not stop the intrusions. They will still happen -- only the white

The analogy fails because guns can only do one thing -- hurt. Their primary (and often, only) purpose is to kill and maim. That they may be a deterrent is an epiphenomenon because first and foremost, they are weapons with one intent.

Tools are different. That they can be used to harm is incidental. Their purposes are many and varied, but often productive.

A better analogy would be knives. You regulate those in areas where they could be used to cause harm (e.g. planes), but allow them elsewhere (e.g. kitchens)

Dammit, I've been missing all the maiming and killing in the biathlon and modern pentathlon events in the Olympics?

Jocks can and do enjoy the skill involved in target shooting without wanting to kill or maim, in exactly the same way that nerds can enjoy the skill involved in white-hat hacking, without wanting to steal and destroy.

Even that's a poor analogy. These same tools are used to ensure security and prevent hacking. By saying only government licensed vendors could use them you will price many smaller companies out of their security solution. The ones who intend to use the tools for crime won't care that they're illegal - their actions are already illegal and it's not stopped them. All you will do is reduce security for lots of small to medium businesses while making it more expensive for everyone else (and recent events show e

You now understand politicians... ALL OF THEM are retarded. Every word out of their mouths. We only elect the ultra rich, and for some reason all ultra rich that have political aspirations are retarded.

for some reason all ultra rich that have political aspirations are retarded.

That's easy enough to explain. If you're ultra-rich and smart, you'll spend the rest of your life on an island getting blown by native chicks. If you're ultra-rich and still human enough to feel guilty about what you've done to get that way, you'll be a philanthropist. Only the ultra-rich, sociopathic, AND stupid end up in politics.

Why do you only elect the super rich? The MEP that I voted for (and who got in, and is now serving her third term) is an active member of the FFII and campaigns against this kind of crap. She's the only one of my elected representatives that I don't feel that I need to chase to actually represent my interests - whenever I write to her with concerns about EU decisions, I get a brief reply saying 'already working on it'.

Why does anyone elect the super rich? They control the media, either directly, or through advertising, or through the old boys' network, and the average person doesn't read much beyond the headlines in their tabloid of choice before deciding which way to vote. The handful of people who do weigh up all the available evidence (and even there it's skewed by those with the money to get their message out) are not present in sufficient numbers to prevent the distorting effect of everyone else.

How does one define "hacking tools?" Debuggers are pretty useful for hackers, as are things like netcat/socat, any of dozens of programming languages, and just about anything that lets you work at a low level. This does not even get into the legitimate uses of pen testing tools.

Oh, wait, let me guess: people will have to register with the government to use any of the above?

Just do it the same way we define "burglary tools". If you have it on you and you are committing burglary, it's a burglary tool. Otherwise, no big deal.

I can carry a flashlight most of the time and not get hassled. But if I'm walking out of a business late at night with a sack of computer bits that don't belong to me and get caught, I'll be charged with theft and possession of burglary tools(the flashlight).

Software that is the equivalent of lockpicks(dunno, wardriving kit?) should still be legal, but som

You can't just ban software. There is absolutely no practical way to stop people from sharing code, and there fucking shouldn't be. If you ban these tools, the only people seriously affected will be the white hats.

The end game may be more sinister. The goal is not to ban software, but to make a legal requirement that people register with the government to use certain kinds of software. This is naturally a good thing for large software companies, who will face less competition from smaller organizations and open source projects. It will also give law enforcement agencies one more way to arrest people who dare to write scripts or use debuggers without the proper paperwork.

Certainly any OS that comes from "open source" should be banned, as it can be modified to do bad things. Why, I happen to know Gentoo can even do bad things to a network right out of the box just by typing in an address already in use. Good people would never use such a system.

This. It amazes me that people still think that registering folks for access to what are considered dangerous tools or even worse, banning them altogether, is some sort of panacea that will magically protect everyone from the presumed harmful effects. If I ban guns, then only criminals will have guns. If I ban "hacker tools" (whatever the hell that's supposed to mean), then only criminals will have hacker tools. If I ban bad car analogies, well, you get the picture.

It still amazes me how people seek legislative solutions to what are purely technical problems. Hey politicians: you're doing it wrong. If you're going to legislate something, then legislate the use of memory safe programming languages and proof carrying code. Security problems would be mostly solved, and software would have fewer bugs overall to boot.

If you're going to legislate something, then legislate the use of memory safe programming languages and proof carrying code. Security problems would be mostly solved, and software would have fewer bugs overall to boot.

That'd drive up the cost of software development. People write buggy, insecure code because it's fast and cheap, and that's all the end user is willing to pay for.

That'd drive up the cost of software development. People write buggy, insecure code because it's fast and cheap, and that's all the end user is willing to pay for.

I doubt very much that this cost would be less than creating legislation, enforcing it via criminal investigations, trying the accused in our overburdened courts, and housing these criminals in overflowing prisons. Legislation should always be the *last* recourse, not the first one.

Depends. I wouldn't object to a law requiring formal verification for financial systems, because the banks just pass the costs of compromises on to their customers and so the people making the purchasing decisions are not the same as the ones who will pick up the bill for bugs. For consumer software, it just wouldn't make sense.

Let's be clear here folks. By and large the majority of the readers here are programmers before any political affiliation is factored in. That puts us all in an uneasy tension with politicians because we and our industry are, at heart, antithetical to everything they are and stand for. Understand this please -- political science is a study of emotion, and the use of those emotions to sway mindless masses of people. Programming is a study of logic, a

and it doesn't stop their use, why would banning their possession stop them? I fail to grasp how anyone can come to the conclusion that someone intent on criminal activities would mend their ways simply because another facet of their operation is made illegal. Guns aren't the problem, network security tools aren't the problem. People are the problem. If you want to solve the problem you're going to have to ban them.

If the Apple iOS/app store model is any indication of things to come, pretty soon PC's will be as locked down as consoles and cellphones. You won't have to worry about running any unauthorized code because the good folks at Apple, Dell, etc. will force you to get all your software through their app store.

The concept of banning "hacking tools" is just silly. What would these people consider a hacking tool? SSH terminals, since they allow people to connect to compromised systems or to connect to machines with "hacker tools"? Or what about IRC servers, since many bot networks have used them or offer the ability to let people talk about hacking? Even some of the biggest "hacker tools" are used for real network and server analysis, like Wireshark and the like.

Don't fine the hackers for finding the exploits, fine the developers for not finding them. The software developers are the ones making money off the software

In what bizarro world are you living? Most developers make money by collecting salaries, not selling software. Do you think our income is tied to revenue? I WISH! If you want to hold companies responsible as a whole, great. You want to impose penalties on companies for security problems that affect people, great. You want to impose fines on me, person

These people are complete morons. Anyone with Firefox and a couple HTML dev addons can perform the exact same hacks that have been going on against Sony, Software Companies, and FBI contractors. Who the fuck lets people with no understanding of the issue legislate it?

The onus of the hack rests SOLELY on the person managing the network, and not at all on the people who stumbled upon a URL that lets them see passwords and usernames. The problem part of 'hacking' is that you assume unauthorized access to a com

In physical security, you should always assume everyone has a lockpick. Likewise, in internet security you should assume everyone has metasploit, nmap, wireshark, etc. Building systems that are secure from cracking is not hard (protecting against a DDoS attack effectively is much more difficult). If you hire the cheapest external developers and contractors you can find to build your financial services website, don't be surprised if it's easily hacked. Good engineers should have no difficulty analyzing syste

As a network engineer and someone who uses BackTrack [backtrack-linux.org] at least once a week for penetration testing, it is obvious to me that the people who come up with these laws have no idea about anything related to the field of network and server security. Why are these morons making the decisions?

Yes, to some extent I can actually read hex and convert to asm in my head. It is something you learn practically as a side effect when writing a software emulation for a CPU. Calculating addresses is a hassle, though, and I wouldn't do it unless I have to, but it is entirely possible, just very time consuming.

Why should the public be allowed to have software/web development tools? Where are the tax revenues in that? Where are the profits for big business? Writing your own software and designing your own website are like theft!